
我正在用 Spring Security 3.2.0 和 Spring Framework 4.x 编写一个简单的 Web 应用程序。我可以看到用户名/密码传到了自定义的身份验证提供程序(auth provider),但实际的身份验证并没有执行;也就是说,即使输入错误的密码,我仍然会被带到登录后的 URL /dashboard……Spring Security 没有进行认证

web.xml:

<?xml version="1.0" encoding="UTF-8"?> 
    <!-- Servlet 2.5 deployment descriptor: one root Spring context, the Spring Security
         filter chain in front of every request, and a single DispatcherServlet. -->
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" 
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"> 

    <!-- Files read by ContextLoaderListener into the root application context.
         The security configuration has to be listed here, because the security
         filter below looks its chain bean up in the root context. -->
    <context-param> 
     <param-name>contextConfigLocation</param-name> 
      <param-value> 
       /WEB-INF/spring-config.xml 
       /WEB-INF/spring-security-config.xml 
      </param-value> 
    </context-param> 

    <listener> 
     <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> 
    </listener> 

    <servlet> 
     <servlet-name>frontController</servlet-name> 
     <servlet-class> 
     org.springframework.web.servlet.DispatcherServlet 
    </servlet-class> 
    </servlet> 
    <!-- The filter name must stay "springSecurityFilterChain": DelegatingFilterProxy
         resolves the Spring bean with the same name as the filter. -->
    <filter> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> 
    </filter> 

    <!-- Mapped to /* so that every request passes through the security filter chain.
         Whether a request is actually restricted still depends on the intercept-url
         rules in spring-security-config.xml. -->
    <filter-mapping> 
     <filter-name>springSecurityFilterChain</filter-name> 
     <url-pattern>/*</url-pattern> 
    </filter-mapping> 

    <!-- NOTE(review): /* also routes container-internal forwards (for example to JSP
         views) back into the DispatcherServlet; "/" is the usual mapping. Confirm
         this is intended. -->
    <servlet-mapping> 
     <servlet-name>frontController</servlet-name> 
     <url-pattern>/*</url-pattern> 
    </servlet-mapping> 

    </web-app> 

spring-security-config.xml:

<?xml version="1.0" encoding="UTF-8"?> 

<!-- Spring Security namespace configuration: URL access rules, form login and the
     authentication manager that delegates to one custom provider bean. -->
<beans:beans xmlns="http://www.springframework.org/schema/security" 
    xmlns:beans="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
    xsi:schemaLocation="http://www.springframework.org/schema/beans 
      http://www.springframework.org/schema/beans/spring-beans-4.0.xsd 
      http://www.springframework.org/schema/security 
      http://www.springframework.org/schema/security/spring-security.xsd"> 
    <!-- use-expressions is not set; in Spring Security 3.2 the access values below are
         therefore plain voter tokens (ROLE_USER, IS_AUTHENTICATED_ANONYMOUSLY), not
         SpEL expressions. -->
    <http> 
     <!-- NOTE(review): only /login* and /dashboard* carry an access rule. In an Ant
          pattern "*" does not cross a "/", so /dashboard/anything and every other URL
          have no rule and are reachable without logging in. If the rest of the
          application should require a login, add a catch-all /** rule as the last
          intercept-url (rules are matched in order, first match wins). -->
     <intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" /> 
     <intercept-url pattern="/dashboard*" access="ROLE_USER" /> 

     <!-- Successful logins always land on /dashboard (always-use-default-target);
          failed logins are redirected to /login?error=true. -->
     <form-login login-page='/login' default-target-url='/dashboard' 
      always-use-default-target='true' authentication-failure-url="/login?error=true" /> 
     <logout logout-success-url="/" /> 

    </http>  
    <authentication-manager alias="authenticationManager"> 
     <!-- NOTE(review): the myAuthenticationProvider bean is not defined in this file;
          presumably it lives in /WEB-INF/spring-config.xml. Verify that it has the
          UserDetailsService injected and a hashing password encoder configured,
          otherwise stored passwords are compared as clear text. -->
     <authentication-provider ref="myAuthenticationProvider" /> 

    </authentication-manager> 

</beans:beans> 

自定义auth提供程序除了委托给用户服务外不会执行任何操作:

/**
 * Custom authentication provider that adds nothing of its own: every behaviour,
 * including the password check, is inherited from {@code DaoAuthenticationProvider}.
 *
 * <p>NOTE(review): the simple name is the same as Spring Security's
 * {@code org.springframework.security.authentication.AuthenticationProvider}
 * interface, which makes imports easy to mix up; a distinct name would be clearer.
 *
 * <p>NOTE(review): the inherited provider needs a {@code UserDetailsService} and
 * compares the submitted password through its configured password encoder. Both are
 * set on the bean definition, which is not shown here; confirm a hashing encoder is
 * configured.
 */
public class AuthenticationProvider extends DaoAuthenticationProvider { 
    // Intentionally empty: no method of DaoAuthenticationProvider is overridden.
} 

用户服务按 ID 获取用户详情,并被注入到上述身份验证提供程序中:

public class UserLoginService implements UserDetailsService{ 

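    /**
     * Looks up the account for {@code username}.
     *
     * <p>This is a stub with a single hard-coded demo account. The original version
     * ignored {@code username} and returned that account for every login name, so any
     * name combined with the demo password would authenticate; the lookup now fails
     * for names other than the demo one.
     *
     * @param username the login name submitted by the client
     * @return the details of the demo account
     * @throws UsernameNotFoundException if {@code username} is not the demo account
     *         (including {@code null})
     */
    public UserDetails loadUserByUsername(String username)
            throws UsernameNotFoundException {
        // UserDetailsService contract: an unknown name must raise
        // UsernameNotFoundException rather than resolve to some other account.
        if (!"reza".equals(username)) {
            // Fixed message: the submitted name is untrusted and is not echoed back.
            throw new UsernameNotFoundException("Unknown user");
        }

        User u = new User();
        u.setUsername("reza");
        // NOTE(review): hard-coded clear-text password, acceptable only in a demo.
        // A real service loads the record from a user store and keeps only a salted
        // hash, matched by the password encoder configured on the provider.
        u.setPassword("reza");
        u.setAccountNonExpired(true);
        u.setAccountNonLocked(true);
        u.setCredentialsNonExpired(true);
        u.setEnabled(true);
        u.setRole("ROLE_USER");

        UserDetail ud = new UserDetail();
        ud.setUser(u);
        return ud;
    }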


/**
 * Adapter that exposes a project {@code User} through Spring Security's
 * {@code UserDetails} interface. Every accessor delegates to the wrapped user, so
 * {@link #setUser(User)} must be called before the instance is handed to the
 * framework.
 */
public class UserDetail implements org.springframework.security.core.userdetails.UserDetails {

    // Wrapped domain object; stays null until setUser is called.
    User user;

    /**
     * Builds a fresh one-element list holding the user's single role.
     *
     * @return a new list containing one {@code SimpleGrantedAuthority}
     */
    @Override
    public Collection<? extends GrantedAuthority> getAuthorities() {
        final GrantedAuthority roleAuthority = new SimpleGrantedAuthority(this.user.getRole());
        final List<GrantedAuthority> granted = new ArrayList<GrantedAuthority>(1);
        granted.add(roleAuthority);
        return granted;
    }

    /**
     * Returns the stored password exactly as the wrapped user holds it.
     * NOTE(review): what the authentication provider compares against this value
     * depends on its password encoder; confirm the stored form matches it.
     */
    @Override
    public String getPassword() {
        return this.user.getPassword();
    }

    /** Returns the login name of the wrapped user. */
    @Override
    public String getUsername() {
        return this.user.getUsername();
    }

    /** Reports the wrapped user's account-non-expired flag. */
    @Override
    public boolean isAccountNonExpired() {
        return this.user.isAccountNonExpired();
    }

    /** Reports the wrapped user's account-non-locked flag. */
    @Override
    public boolean isAccountNonLocked() {
        return this.user.isAccountNonLocked();
    }

    /** Reports the wrapped user's credentials-non-expired flag. */
    @Override
    public boolean isCredentialsNonExpired() {
        return this.user.isCredentialsNonExpired();
    }

    /** Reports the wrapped user's enabled flag. */
    @Override
    public boolean isEnabled() {
        return this.user.isEnabled();
    }

    /** Returns the wrapped user, or {@code null} if none has been set. */
    public User getUser() {
        return this.user;
    }

    /** Replaces the wrapped user that all other accessors delegate to. */
    public void setUser(User user) {
        this.user = user;
    }
}

您确实需要贴出身份验证提供程序和 UserDetailsService 的代码。 –


发布完整的UserLoginService – dhamibirendra


我在auth提供程序中编写了authenticate方法,并调用了super.authenticate(),它工作正常。但对我来说这一步似乎没有必要...... – reza

回答


我重写了身份验证提供程序的 authenticate 方法,并在其中调用 super.authenticate(),这样就能正常工作了。